Cyber Command struggles to define its place on a shifting battlefield

By Aliya Sternstein

August 16, 2012

The U.S. Cyber Command, which directs network offensive operations for the Pentagon and protects its networks, is becoming more open about the military’s capabilities in cyberspace. Recently, the Defense Department was forced to show part of its hand when leaks surfaced about U.S.-manufactured cyber weapons and cyber espionage missions. Still, since 2011, the department has told the world it stands prepared to protect U.S. national security interests through cyberspace maneuvers.

With intrusions becoming ever more frequent and public—Defense and the Office of the Director of National Intelligence have called Chinese hackers a continuing and concerning threat—the military is focusing its constrained budgets on cyber. The Pentagon in January announced a spending strategy that switches priorities from ground wars in the Middle East to the Asia-Pacific maritime region and cyber operations.

But a cyber fighter shortage and the U.S. force’s dedication to civil liberties may be dragging down the agenda.

Cyberspace demands a new breed of warrior whose skills are scarce even by private sector standards. Troop size aside, cyber weapons could backfire on U.S. civilians, because of the amorphous nature of the cyber domain. And the very idea of an Internet corps scares the people Cyber Command aims to protect: Americans who value free speech and free markets.

The Pentagon is cognizant of the staffing, privacy and security challenges of mobilizing in cyberspace, current and former military officials say. Defense knows the competition for able cyber professionals presents a hurdle, but the command stands ready to vie for them using special incentives. The extras that Gen. Keith Alexander, head of Cyber Command, has mentioned include bonuses like the ones pilots and nuclear officers receive, as well as opportunities for education and advanced degrees.

Operations online likely will require a combination of physical and mental acuity if the recent Stuxnet campaign is any indication. The U.S.-Israeli-engineered computer virus that reportedly seized Iranian nuclear centrifuges was inserted manually through a jump drive, rather than propagated over the Internet from a safe distance. The Pentagon plans for cyber specialists from the Air Force, Army, Marines and Navy to coordinate with Cyber Command headquarters in Maryland on executing operations abroad, according to Alexander.

“One of the challenges is finding and holding the people we need to do this mission. We have to recruit, train and retain a cyber cadre that will give us the ability to operate effectively in cyberspace for the long term,” Cyber Command spokesman Col. Rivers J. Johnson Jr. says. “Gen. Alexander has indicated that it is going to take time for us to generate the force,” Johnson says, adding the Cyber Command chief is optimistic he eventually will get the specialized force desired.

Once troops are in place, activating them may require patience, due to the risk of accidentally unleashing viruses into the wild. The Flame worm, a suspected U.S. government invention, has long been harvesting information from computers in Middle Eastern countries using a compromised Microsoft product. Microsoft had to block three of its own digital certificates to stop less well-intentioned programmers from exploiting the weakness. Stuxnet, which undermined a computer system that operated nuclear plant equipment, could theoretically ram other Iranian infrastructure, such as civilian water utilities, for instance.

Another complication with an armament such as Flame is the potential for eavesdropping on communications between innocents. Kaspersky Labs, the security firm that discovered the cyber spy tool, describes the bug as “the largest cyber weapon to date,” referring to its 20 megabytes. The worm can scoop up massive amounts of valuable information such as screen shots of online chats, audio recordings from internal microphones and storage files. Many American privacy activists and foreigners are nervous about proposed legislation that would let U.S. intelligence and military communities scan citizens’ correspondence for signs of illicit activities and viruses embedded by nation state actors.

Both big business and human rights activists—not always best friends—are largely on the same side about any government regulations that demand sensitive information in return for greater computer protections. As much as civil libertarians would like the United States to facilitate the free flow of information in oppressive regimes, they aren’t so eager if it means monitoring all digital messages to find the bad guys.

Yet, on the whole, some former government hackers say they’ve been surprised to see the Obama administration taking considerable care to minimize such civil liberties and cybersecurity risks. Recently uncovered attacks have involved “techniques that could have been used against us just as effectively,” says Dave Aitel, chief executive officer of cybersecurity firm Immunity Inc. and a former National Security Agency computer scientist. He was referring to the chance of a cyber backlash if adversaries figured out how to apply the same tactics against U.S. citizens.

The order to implant the Stuxnet virus reportedly was made after thorough deliberation by the highest power in U.S. government—and not a Pentagon official. Defense’s strategy for operating in cyberspace states the commander in chief has the ultimate say-so to engage in confrontations. “Obama has to say yes or no,” Aitel says. “It’s not completely like ‘Go crazy, Cyber Command.’ ”

Pentagon officials have said they strongly respect Americans’ rights during operations. Defense spokeswoman Lt. Col. April Cunningham says, “DoD is committed to protecting the individual privacy of communications on the Internet and the civil liberties of the American people.”

Retired Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance, says the U.S. government will never have 100 percent assurance that a cyber offensive will work as planned. Americans, however, have more to fear from adversaries and cyber crooks than from feds. “I’m not terribly concerned about the U.S. government spying on us,” says Casciano, now a private consultant.

Some former Defense officials say cyber weapons are subject to the 1978 Foreign Intelligence Surveillance Act, which regulates the monitoring of U.S. international communications during counter-espionage activities. “All new cyber weapons must adhere to all the U.S. federal laws,” says retired Air Force Lt. Gen. Harry Raduege Jr. Or, more specifically, “it’s U.S. people who employ cyber weapons who are subject to FISA. It’s really the people.” Raduege is now chairman of the Deloitte Center for Cyber Innovation.

Casciano says he trusts the current legal framework will protect Americans in cyberspace.

Many civil liberties activists have argued otherwise, based on their long-standing criticism of FISA for sweeping up Americans’ calls, emails and text messages. Flame so far has spread in a controlled manner among certain nation-state groups and academic institutions and has not self-replicated, according to Kaspersky researchers.

Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare (O’Reilly Media, 2009), makes a distinction between cyber weapons intended to destroy systems such as Stuxnet, and cyber espionage tools such as Flame that compromise systems. With cyber weapons, collateral damage could harm civilians who use a targeted network, he says. “How do we know which networks should be targeted and which ones should be off limits?” he says. “I would think that [U.S. officials] would be concerned about their rules of engagement.”

Cunningham notes the Pentagon does not discuss operational matters as a manner of long-standing policy and will not comment specifically on the development of cyber offensive tools. But she says, “DoD will organize, man, train and equip for operating effectively in cyberspace. DoD is in the process of developing the organizations, processes and procedures to ensure that the [combatant commands] have the appropriate cyber force structure and capabilities to operate effectively in their theaters.”